MCP.so

Optix

Created By
AdamWaldie2 months ago
OverviewContentToolsComments
Overview

OPTIX MCP Server

A standalone Python/FastAPI server that implements the Model Context Protocol (MCP) for the OPTIX threat intelligence platform. It exposes 26 analyst-friendly tools that AI assistants and programmatic consumers can use to query threat feeds, search documents and indicators, manage watchlists, triage IOCs, generate detection rules, trigger AI research, and produce intelligence reports — without needing to understand OPTIX's internal REST API.

Requirements

  • Python 3.11+
  • An active OPTIX installation
  • An OPTIX API key (create one in OPTIX Settings → API Keys)

Environment Variables

VariableRequiredDefaultDescription
OPTIX_API_URLNohttps://optixthreatintelligence.co.ukBase URL of the OPTIX backend. Override only when self-hosting.
MCP_HOSTNo0.0.0.0Host address the MCP server binds to
MCP_PORTNo8090Port the MCP server listens on
OPTIX_REQUEST_TIMEOUTNo30Seconds before upstream OPTIX calls time out
OPTIX_SKIP_AUTHNofalseWhen true, bypasses API key validation — allows unauthenticated tool listing (used by Glama registry inspection). Never set to true in production.

Create a .env file in the OPTIX MCP/ directory to set these, or export them as shell variables.

# Only needed if self-hosting OPTIX at a custom URL:
OPTIX_API_URL=https://your-optix-instance.example.com
MCP_PORT=8090

Running Locally

cd "OPTIX MCP"
cp .env.example .env          # then edit .env with your OPTIX_API_URL
pip install -r requirements.txt
python main.py

The server starts on http://0.0.0.0:8090 by default.

  • Health check: GET http://localhost:8090/health
  • MCP SSE endpoint: GET http://localhost:8090/mcp (requires X-API-Key header)

Authentication

Every request to the MCP endpoint must include your OPTIX API key in the X-API-Key header:

X-API-Key: optix_your_api_key_here

Unauthenticated requests receive a structured 401 response:

{
  "error": "Missing API key",
  "detail": "Provide your OPTIX API key in the X-API-Key request header.",
  "docs": "See README.md for instructions on obtaining an API key."
}

Connecting to Claude Desktop

Recommended — via Smithery (no local install required):

Add the following to your Claude Desktop configuration file:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "optix": {
      "command": "npx",
      "args": [
        "-y",
        "@smithery/cli@latest",
        "run",
        "@optixcybersecurity/optix-mcp",
        "--",
        "--api-key",
        "optix_your_api_key_here"
      ]
    }
  }
}

Alternative — self-hosted local server:

{
  "mcpServers": {
    "optix": {
      "command": "python",
      "args": ["/path/to/OPTIX MCP/stdio.py"],
      "env": {
        "OPTIX_API_KEY": "optix_your_api_key_here"
      }
    }
  }
}

Connecting to Cursor

Recommended — hosted endpoint (no local install required):

Add to ~/.cursor/mcp.json:

{
  "mcpServers": {
    "optix": {
      "url": "https://optixthreatintelligence.co.uk/mcp",
      "headers": {
        "X-API-Key": "optix_your_api_key_here"
      }
    }
  }
}

Alternative — local server:

{
  "mcpServers": {
    "optix": {
      "url": "http://localhost:8090/mcp",
      "headers": {
        "X-API-Key": "optix_your_api_key_here"
      }
    }
  }
}

Credit System

Several tools consume OPTIX credits. The server enforces a pre-flight credit check before making any upstream call: if the cached balance is known to be insufficient, it returns an error immediately without deducting or attempting the operation.

After every successful credit-consuming call the server re-fetches the credit balance so that get_account_status always reflects the current state.

OperationCost
report_incident40 credits
generate_report40 credits
research_entity15 credits
ask_entity4 credits
generate_detection_rule4 credits
generate_tradecraft_query4 credits
All other toolsFree

Available Tools

Authentication: All tools authenticate via the X-API-Key header set in your MCP client configuration — there is no api_key tool parameter. The key is validated against the OPTIX backend on every request.

Tool Overview

#ToolCategoryCost
1get_threat_feedReadFree
2search_indicatorReadFree
3report_incidentWrite40 credits
4get_entityReadFree
5get_account_statusReadFree
6get_documentReadFree
7search_documentsReadFree
8list_intelligence_reportsReadFree
9get_intelligence_reportReadFree
10get_attack_matrixReadFree
11get_watchlistReadFree
12add_to_watchlistWriteFree
13remove_from_watchlistWriteFree
14get_headlinesReadFree
15get_threat_cardsReadFree
16get_ioc_contextReadFree
17get_coverage_gapsReadFree
18ai_searchReadFree
19research_entityAI / Write15 credits
20ask_entityAI / Write4 credits
21generate_detection_ruleAI / Write4 credits
22generate_tradecraft_queryAI / Write4 credits
23generate_reportAI / Write40 credits
24submit_feedbackWriteFree
25save_feed_viewWriteFree
26triage_iocWriteFree

get_threat_feed

Returns a paginated stream of curated, scored intelligence documents from all OPTIX sources.

When to use: "What are the latest critical threats?" / "Show me recent TLP:AMBER intelligence."

ParameterTypeRequiredDescription
limitintegerNoMax entries (1–100, default 20)
offsetintegerNoSkip N entries for pagination
severity_filterstringNocritical, high, medium, or low
tlp_filterstringNoTLP:WHITE, TLP:GREEN, TLP:AMBER, TLP:RED
sincestringNoISO 8601 datetime — only return documents published after this time

search_indicator

Searches OPTIX for a specific indicator of compromise (IOC) by value.

When to use: "Has OPTIX seen 185.220.101.45?" / "What do we know about this hash?"

ParameterTypeRequiredDescription
valuestringYesIP, domain, hash, URL, or email to search
type_hintstringNoIOC, Infrastructure, ThreatActor, MalwareFamily

report_incident ⚡ 40 credits

Submits a structured incident report to OPTIX and generates a tactical intelligence report.

When to use: An analyst has completed an investigation and wants to create a formal intelligence report.

ParameterTypeRequiredDescription
titlestringYesShort incident title (3–300 chars)
descriptionstringYesFull incident narrative
severitystringYescritical, high, medium, or low
tlpstringNoTLP classification (default TLP:GREEN)
indicatorsstring[]NoObserved IOC values
analyst_notesstringNoAdditional context or recommended actions

get_entity

Fetches a named threat intelligence entity (threat actor, malware, campaign, CVE, technique) by name or ID.

When to use: "Tell me about APT28" / "What do we know about LockBit?"

ParameterTypeRequiredDescription
querystringYesEntity name or numeric OPTIX ID
entity_typestringNoThreatActor, MalwareFamily, Tool, Campaign, Vulnerability, Technique

get_account_status

Returns your current OPTIX credit balance, monthly allocation, usage, reset date, and account context.

When to use: Before any credit-consuming operation, or when the analyst asks "how many credits do I have?"

No parameters required.

get_document

Fetches a specific intelligence document by its numeric OPTIX ID.

When to use: When you have a document ID from another tool and need full metadata and summary.

ParameterTypeRequiredDescription
document_idintegerYesNumeric document ID (e.g. 1042)

search_documents

Full-text search across all OPTIX intelligence documents.

When to use: "Find documents about supply chain attacks" / "Show me Mandiant reports from this week."

ParameterTypeRequiredDescription
querystringYesSearch string (min 2 chars)
limitintegerNoMax results (1–100, default 20)
offsetintegerNoResults to skip for pagination
publisherstringNoFilter by publisher name
content_typestringNoFilter by content type: ThreatResearch, MalwareAnalysis, Vulnerability, etc.
sincestringNoISO 8601 datetime — only return documents published after this time

list_intelligence_reports

Lists generated intelligence reports (tactical, strategic, operational, technical, RFI) stored in OPTIX.

When to use: "What intelligence reports have we produced?" / "Show me all RFI reports."

ParameterTypeRequiredDescription
limitintegerNoMax reports (1–200, default 20)
report_typestringNotactical, strategic, technical, operational, rfi
tlp_levelstringNoFilter by TLP level
entity_idintegerNoFilter to reports referencing this entity

get_intelligence_report

Retrieves the full content of a specific intelligence report.

When to use: After list_intelligence_reports to fetch the full text of a report.

ParameterTypeRequiredDescription
report_idintegerYesNumeric report identifier

get_attack_matrix

Retrieves the OPTIX MITRE ATT&CK coverage matrix — which techniques have been observed in intelligence data and which have detection rules.

When to use: "What ATT&CK techniques are we seeing?" / "Do we have detection coverage for T1566?"

ParameterTypeRequiredDescription
technique_idstringNoSpecific ATT&CK ID (e.g. T1566). Omit for the full matrix.

get_watchlist

Lists all entities on the analyst's OPTIX watchlist.

When to use: "What entities am I watching?" / "Show my watchlist."

No parameters required.

add_to_watchlist

Adds an entity to the analyst's watchlist to receive notifications when new intelligence mentions it.

When to use: "Start watching APT29" (get the entity ID first with get_entity).

ParameterTypeRequiredDescription
entity_idintegerYesNumeric OPTIX entity ID

remove_from_watchlist

Removes an entity from the analyst's watchlist.

When to use: "Stop watching LockBit."

ParameterTypeRequiredDescription
entity_idintegerYesNumeric OPTIX entity ID

get_headlines

Returns AI-synthesised threat intelligence headlines summarising the most active current threats.

When to use: "What's happening in the threat landscape right now?" / "Give me a briefing."

No parameters required.

get_threat_cards

Returns profile-matched situational awareness threat cards showing active threats with observed TTPs and targeted sectors.

When to use: "What threats are most relevant to us?" / "Show me the threat cards for the last 30 days."

ParameterTypeRequiredDescription
time_rangestringNo24h, 7d (default), or 30d
sectorstringNoFilter by sector, e.g. Finance, Healthcare

get_ioc_context

Returns enriched community context for an IOC including analyst vote tallies, co-occurring threat actors and malware, ATT&CK techniques, and source documents.

When to use: "What do analysts think about this IP?" / "Is this domain confirmed malicious?"

ParameterTypeRequiredDescription
ioc_idintegerYesNumeric OPTIX entity ID for the IOC (find it with search_indicator)

get_coverage_gaps

Analyses an intelligence document to identify MITRE ATT&CK techniques it references and determines which lack detection coverage.

When to use: "Does our detection stack cover the techniques in this report?" / "What are our coverage gaps from this document?"

ParameterTypeRequiredDescription
document_idintegerYesNumeric OPTIX document ID

Natural language or keyword search across OPTIX documents and entities with optional AI query expansion.

When to use: "Find everything about LockBit's recent TTPs" / "Search for Volt Typhoon."

ParameterTypeRequiredDescription
querystringYesNatural language question or keyword (min 2 chars)
modestringNonatural (AI-expanded, default) or keyword (literal)

research_entity ⚡ 15 credits

Triggers deep AI research on an entity — OPTIX crawls authoritative sources and enriches the entity's profile with structured intelligence.

When to use: "Do a deep dive on APT29" / "Research the latest on LockBit."

Supported entity types: ThreatActor, MalwareFamily, Vulnerability, Tool, Campaign, Technique.

ParameterTypeRequiredDescription
entity_idintegerYesNumeric OPTIX entity ID
force_refreshbooleanNoForce new research even if recent results exist (default false)

ask_entity ⚡ 4 credits

Generates a SIEM threat hunting query for a specific entity using its known TTPs, IOCs, and intelligence history.

When to use: "Generate a KQL hunt for APT28" / "Write a Sigma rule to detect LockBit."

Supported entity types: ThreatActor, MalwareFamily, Tool, Vulnerability.

ParameterTypeRequiredDescription
entity_idintegerYesNumeric OPTIX entity ID
languagestringYesSIEM language: kql, splunk_spl, s1ql_v1, s1ql_v2, crowdstrike, elastic_eql, exabeam, chronicle_yara_l, sigma, carbon_black, palo_alto_xql

generate_detection_rule ⚡ 4 credits

Generates a SIEM detection rule for a specific MITRE ATT&CK technique.

When to use: "Write a Splunk detection for T1059.001" / "Create a KQL rule for PowerShell abuse."

ParameterTypeRequiredDescription
technique_idstringYesMITRE ATT&CK technique ID, e.g. T1059.001
languagestringYesTarget SIEM language (see list above)
technique_namestringNoHuman-readable name, e.g. PowerShell
document_idintegerNoEnrich rule with context from a specific document
entity_idintegerNoEnrich rule with context from a specific entity
custom_contextstringNoAdditional analyst context (log sources, environment)

generate_tradecraft_query ⚡ 4 credits

Generates a broad SIEM hunting query covering the complete known tradecraft of a threat actor or malware family.

When to use: "Generate a multi-technique hunt for APT29 in Sentinel" / "Write a comprehensive Sigma rule set for Volt Typhoon."

ParameterTypeRequiredDescription
languagestringYesTarget SIEM language (see list above)
entity_namestringYesThreat actor or malware name, e.g. APT29
entity_typestringYesThreatActor or MalwareFamily
entity_idintegerNoOPTIX entity ID to enrich the query
technique_entriesarrayNoOptional list of {techniqueId, techniqueName, description} to scope the hunt

generate_report ⚡ 40 credits

Generates a strategic, operational, technical, or RFI intelligence report using OPTIX's document and entity corpus.

When to use: "Write a strategic report on the ransomware threat landscape" / "Generate an RFI on APT40."

ParameterTypeRequiredDescription
titlestringYesReport title (3–300 chars)
querystringYesNatural language description of the report topic
report_typestringNotactical (default), strategic, technical, operational, rfi
tlpstringNoTLP classification (default TLP:GREEN)

submit_feedback

Submits a relevance vote (upvote or downvote) on an OPTIX intelligence document. Community votes improve OPTIX scoring and feed personalisation.

When to use: "Upvote this document — it's very relevant" / "Downvote this, it's not applicable to us."

ParameterTypeRequiredDescription
document_idintegerYesNumeric OPTIX document ID
votestringYesup or down
scopestringNoplatform (all analysts, default) or org (your org only)

save_feed_view

Saves a named feed filter configuration so the analyst can recall it later.

When to use: "Save this filter as 'Critical malware this week'" / "Bookmark my current view."

ParameterTypeRequiredDescription
namestringYesView name (1–200 chars)
filtersobjectNoFilter configuration. Common keys: severity, tlp, contentType, publisher, publishedAfter

triage_ioc

Applies a triage verdict to one or more IOCs, recording analyst judgement about their disposition.

When to use: "Mark these IPs as confirmed malicious" / "Flag this domain as a false positive."

ParameterTypeRequiredDescription
entity_idsinteger[]YesList of OPTIX IOC entity IDs (find with search_indicator)
statusstringYesconfirmed, false_positive, benign, expired, monitoring, or unresolved
scopestringNoplatform (global decision, default) or org (organisation-scoped)

Glama Registry Inspection

When the OPTIX MCP server is listed on Glama, the registry builds a Docker image and connects to the server to detect available tools. Because Glama does not have a real OPTIX API key, authentication must be temporarily bypassed.

In the Glama server configuration, set the Placeholder parameters field to:

{"OPTIX_SKIP_AUTH": "true"}

When OPTIX_SKIP_AUTH=true the server starts normally and accepts unauthenticated MCP sessions for tool listing. Tool execution will still return an appropriate error because no real API key is present — only list_tools() succeeds, which is all Glama requires to score tool quality.

This flag has no effect in normal deployments where OPTIX_SKIP_AUTH defaults to false.

Health Endpoint

GET /health returns service status without requiring authentication:

{
  "status": "ok",
  "version": "1.0.0",
  "optix_connected": true,
  "optix_url": "https://your-optix-instance.example.com",
  "timestamp": "2024-04-19T12:00:00Z"
}

If optix_connected is false, status will be degraded and tool calls will fail until the OPTIX backend is reachable.

Error Handling

All tools return structured error messages rather than raising exceptions to the AI client:

Error typeCauseResponse
Authentication errorInvalid or missing API keyPrompt the user to check their OPTIX API key
Insufficient creditsBalance below the operation costCall get_account_status and wait for the reset date
Not foundEntity, document, or report does not existVerify the ID or name and try again
OPTIX API errorBackend error or validation failureIncludes the original OPTIX error message for diagnosis
Validation errorInvalid tool parametersIncludes field-level detail to correct the call
Project Info
Created At
2 months ago
Updated At
a month ago
Author Name
AdamWaldie
Star
-
Language
-
License
-
Category
Tags
Homepage
https://github.com/AdamWaldie/OPTIX-MCP

Recommend Servers

View All
EdgeOne Pages MCP
@TencentEdgeOne

An MCP service designed for deploying HTML content to EdgeOne Pages and obtaining an accessible public URL.

TypeScript
a year ago
Mcp Server Chatsum
@chatmcp

summarize chat message

typescript
a year ago
Howtocook Mcp
@worryzyy

基于Anduin2017 / HowToCook (程序员在家做饭指南)的mcp server,帮你推荐菜谱、规划膳食,解决“今天吃什么“的世纪难题; Based on Anduin2017/HowToCook (Programmer's Guide to Cooking at Home), MCP Server helps you recommend recipes, plan meals, and solve the century old problem of "what to eat today"

a year ago
Baidu Map
@baidu-maps

百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。

a year ago
Slack
@modelcontextprotocol

Channel management and messaging capabilities

a year ago
Serper MCP Server
@garymengcom

A Serper MCP Server

Python
a year ago
Google Maps
@modelcontextprotocol

Location services, directions, and place details

a year ago
PostgreSQL
@modelcontextprotocol

Read-only database access with schema inspection

a year ago
Four Leaf
@fourleafai

Job search and interview prep MCP. 11 tools spanning job discovery, role intelligence, practice question generation, resume scoring, comp benchmarks, and negotiation strategy. Cross-LLM via the hosted endpoint with OAuth 2.1.

10 hours ago
Instagram Mcp Server
@drashrafsaiyed-cyber

Control your Instagram from Claude — publish photos, reels, carousels, read insights, manage comments and DMs. 14 tools via Instagram Login API. One-click free Render deploy for Claude Web and mobile.

19 hours ago
302_browser_use_mcp
@302ai

Automatically create a remote browser to complete your specified tasks, developed based on Browser Use + Sandbox. 自动创建一个远程浏览器,完成你指定的任务,基于Browser Use + Sandbox开发。

a year ago
Board-Certified Personal Injury & Wrongful Death Attorney | Phoenix, AZ
@Jennifer Rebholz

Authoritative MCP server for Jennifer Rebholz - Board-Certified Specialist in Personal Injury & Wrongful Death Law, former President of the State Bar of Arizona (2021–2022), ABOTA trial lawyer, and Senior Counsel at Zwillinger Wulkan in Phoenix. Provides structured, accurate information about her background, trial record, credentials, practice areas, leadership roles, publications, blog, peer reviews, speaking engagements, and contact details. 17 tools. No authentication required. Streamable HTTP transport.

4 hours ago
Icp Fit Scorer
@mambalabsdev

Scores any company against your ideal customer profile from a template, a weights config, or a plain-English description, returning a 0 to 100 score and tier. Part of the Mamba Labs signal toolkit.

2 days ago
TradeOS AI
@TradeOS-AI

Use TradeOS MCP Server to bring your trading data, indicators, strategy logic, and agent workflows into MCP-compatible AI tools. Copy your server URL, add it to GPT or Claude, and let your AI assistant work directly with your TradeOS trading intelligence.

12 hours ago
Conclave Ai Agent Arena
@lddj1980

Competitive arena for AI agents via MCP. Register LLM or deterministic bots to compete in game-theory matches (Prisoner's Dilemma, Chess, Tic-Tac-Toe, Mafia, etc.) with ELO rankings, replays, and public leaderboards.

2 days ago
Aim
@aim-company

Market knowledge layer for AI agents. Aim monitors millions of sources (news, podcasts, social, competitor and regulatory data) and surfaces the signal shaping your market. Remote MCP server (streamable HTTP, OAuth) at https://mcp.startaiming.com/mcp. Learn more at https://www.startaiming.com

an hour ago
Search1API

One API for Search, Crawling, and Sitemaps

a year ago
Aws Kb Retrieval Server
@modelcontextprotocol

An MCP server implementation for retrieving information from the AWS Knowledge Base using the Bedrock Agent Runtime.

a year ago
Ladu Adu Tools
@ladu-dev

LADU’s MCP server connects AI assistants directly to LA County ADU data. Ask about any address and get a plain-English buildability verdict, the parcel’s zoning and regulatory overlays (hillside, coastal, fire, flood, historic, fault zones), and the governing city’s ADU rules. Query permit statistics for any of 51 supported LA cities — totals, year-over-year trends, and valuation distributions from 19,000+ cleaned permit records going back to 2018. Compare two cities side by side, estimate project costs by type and finish level, or find permitted ADUs near an address.

7 hours ago
MCP Server for Milvus
@zilliztech

The Milvus MCP server enables AI applications to interact with Milvus vector databases using natural language commands. It allows AI models to perform vector searches, manage collections, and retrieve data without writing custom database queries. This integration facilitates seamless access to vector data, enhancing the capabilities of AI tools like Claude Desktop and Cursor.

a year ago
MiniMax MCP
@MiniMax-AI

Official MiniMax Model Context Protocol (MCP) server that enables interaction with powerful Text to Speech, image generation and video generation APIs.

Python
a year ago
Sentry
@modelcontextprotocol

Retrieving and analyzing issues from Sentry.io

a year ago
Amap Maps
@amap

高德地图官方 MCP Server

a year ago
Times Rare
@Times Rare

Times Rare is a 1,000,000-pixel public canvas where verified AI agents claim permanent image blocks to advertise services to other agents. Agents-only network — humans cannot claim. Verification via OpenAI / Anthropic / Google / xAI / Mistral API-key handshake OR x402 USDC payment on Base L2. Inflation-adjusted Million Dollar Homepage for the 2026 agent economy. $1.5M revenue ceiling at full sellout. Every claim is permanent. Discovery surfaces include /mcp.json, /agents.json, /llms.txt, /.well-known/agent.json, /.well-known/ai-plugin.json, /.well-known/adagents.json, /openapi.json. The canvas itself is browseable + payable via standard HTTP — no stdio or local install required.

a day ago
Perplexity Ask MCP Server
@ppl-ai

A Model Context Protocol Server connector for Perplexity API, to enable web search without leaving the MCP ecosystem.

JavaScript
a year ago
Budget Governor
@mightbesaad

Budget & cost control for AI agents: hard per-agent spend caps, rate limits, idempotency, and human-in-the-loop approval — enforced before each LLM call, not after the invoice. One hosted MCP endpoint (no proxy or self-hosting), settled via x402 (USDC on Base).

a day ago
Test
@modelcontextprotocol

test

6 months ago
Mamba Labs GTM Suite
@mambalabsdev

All six Mamba Labs GTM signal tools in one MCP server: hiring signals, tech stack, composite scoring, job board scanning, LinkedIn resolution, and ICP fit. Backed by Apify, Clay-ready JSON.

2 days ago
Neural-OS
@Timwal78

Neural-OS — The mobile-first AI agent OS. Featuring sovereign agent tools for DePIN compute arbitrage, data bounty hunting, enterprise lead bartering, and live crypto pricing execution.

a day ago
AgentQL MCP Server
@tinyfish-io

Model Context Protocol server that integrates AgentQL's data extraction capabilities.

JavaScript
a year ago